System and method to use a cloud-based platform supported by an API to authenticate remote users and to provide PKI- and PMI-based distributed locking of content and distributed unlocking of protected content

ABSTRACT

A security system for authenticating users and protecting content that provides an application program interface (API) with a Cloud Platform integration (Platform) to extend the security capabilities of Public Key Infrastructure and Privilege Management Infrastructure systems to authenticated external users and protected content.

This application is a continuation of and claims priority to U.S. patent application Ser. No. 14/715,588, filed May 18, 2015, which claims priority under 35 U.S.C. §119(e) from U.S. Provisional Patent Application No. 61/994,885, filed May 17, 2014, titled "A System with PKI- & PMI-Based Distributed Locking, Unlocking and Automated Distribution of Protected Content," and from U.S. Provisional Patent Application No. 62/133,371, filed Mar. 15, 2015, titled "A Cloud-based Platform supported by API(s) and SDK(s) providing a System with PKI- & PMI-Based Distributed Locking, Unlocking and Automated Distribution of Protected Content and/or Scoring of Users and/or Scoring of End-Entity Access Means," all of which are incorporated herein by reference and for all purposes.

U.S. patent application Ser. No. 14/715,588 is a continuation-in-part and claims priority under 35 U.S.C. §120 from co-pending U.S. patent application Ser. No. 14/218,897, titled "System And Method To Enable Pki- And Pmi-Based Distributed Locking Of Content And Distributed Unlocking Of Protected Content And/Or Scoring Of Users And/Or Scoring Of End-Entity Access Means—Added," filed Mar. 18, 2014, by Graham, et al., which claimed priority under 35 U.S.C. §119(e) from U.S. Provisional Patent Application No. 61/792,927, filed Mar. 15, 2013, entitled "System And Method To Enable Pki- And Pmi-Based Distributed Locking Of Content And Distributed Unlocking Of Protected Content And/Or Scoring Of Users And/Or Scoring Of End-Entity Access Means," by Kravitz et al., which is incorporated herein by reference and for all purposes and which is a continuation-in-part and claimed priority under 35 U.S.C. §120 from co-pending U.S. patent application Ser. No. 13/481,553, titled "Methods And Apparatus For Preventing Crimeware Attacks," filed May 25, 2012, by Kravitz, et al., which claimed priority under 35 U.S.C. §119(e) from U.S. Provisional Patent Application No. 61/650,866, filed May 23, 2012, entitled "Method And Apparatus For A Cybersecurity Ecosystem," by Kravitz et al., which is incorporated herein by reference and for all purposes and which also claimed priority under 35 U.S.C. §119(e) from U.S. Provisional Patent Application No. 61/490,952, filed May 27, 2011, entitled "Method And Apparatus For A Financial Document Clearinghouse And Secure Delivery Network Cybersecurity Ecosystem," by Graham III et al., which is incorporated herein by reference and for all purposes and which is a continuation-in-part and claimed priority under 35 U.S.C. §120 from U.S. patent application Ser. No. 13/096,764, entitled "Methods And Apparatus For A Financial Document Clearinghouse And Secure Delivery Network," filed Apr. 28, 2011, by Graham III et al., which claimed priority under 35 U.S.C. §119(e) from each of the four following U.S. provisional applications: i) U.S. Provisional Patent Application No. 61/330,226, filed Apr. 30, 2010, entitled "Clearinghouse Server For Financial Data Delivery And Financial Services," by Graham III et al., ii) U.S. Provisional Patent Application No. 61/367,574, filed Jul. 26, 2010, entitled "Methods And Systems For A Clearinghouse Server For Delivery Of Sensitive Data," iii) U.S. Provisional Patent Application No. 61/367,576, filed Jul. 26, 2010, entitled "Methods And Apparatus For A Financial Document Clearinghouse System," by Graham III et al., and iv) U.S. Provisional Patent Application No. 61/416,629, filed Nov. 23, 2010, entitled "Methods And Apparatus For Secure Data Delivery And User Scoring In A Financial Document Clearinghouse," by Graham III et al., each of which is incorporated by reference and for all purposes.

BACKGROUND

1. Field of the Described Embodiments

The present disclosure relates generally to providing one or more Application Programming Interfaces (APIs) integrating with a Platform Service (either Cloud, local server-based, or other) to provide access to and use of one or more of the Platform's features. An example of one such feature could be to enable the extension of security credentials for entities such as enterprise businesses, government, small business, individuals, systems integrators, independent software vendors and others ("Entities"), in order to effectuate more secure communication between an Entity and one or more remote third parties (for example, from an enterprise Entity to a third-party customer beyond that enterprise Entity's network firewall).

Most Entities face similar, common security challenges. For many of these challenges, positive security solutions can sometimes be achieved through the use of cryptography. Cryptographic security solutions typically require well-tested implementations, which can be challenging to execute and deliver reliably and securely, even for professionals experienced in the field. According to Bruce Schneier (respected cryptographer, computer security and privacy specialist, and writer): ". . . two cryptography truisms. The first is that cryptography is hard . . . . The second is that cryptographic implementation is hard . . ." and "We're great at mathematically secure cryptography, and terrible at using those tools to engineer secure systems". For these reasons, well-designed, well-executed, tested cryptographic tools that provide useful and flexible solutions meeting actual security needs can be difficult for those Entities to produce for themselves. Therefore a Platform and API with useful and tested cryptographic solutions could be of benefit to those Entities.

The Platform with its API(s) and Software Development Kit (SDK) may make it easier and simpler for software designers, application developers, Entities and others to add sophisticated cryptographic security solutions to their applications and/or Entity software solutions. The Platform, API and related technology may allow them to devote more time to meeting software requirements rather than dealing with the unique challenges of developing secure cryptographic systems, thereby reducing overall development time.

SUMMARY OF THE DESCRIBED EMBODIMENTS

Application programmers, including application developers, often provide Users with software applications that enable various services for the User. For example, an application may be provided to a user to authenticate the identity of a remote third party with whom the user desires to establish an authenticated, secure communication line (as described later herein). In such a case, the application programmer or platform service provider provisions an API with the authentication feature, and exposes various inputs to permit the user to activate and implement the feature. The application programmer may implement the service of authentication based on knowledge of application programming interfaces (APIs) offered by various technology service and/or platform providers. Each platform or service provider tends to have proprietary or specific APIs used to invoke the services it offers. The application programmer utilizes the APIs provided by the provider, with the appropriate parameters, to invoke the desired feature (e.g., authentication of a remote third party).

An API (Application Programming Interface) may include a set of routines, protocols, and tools for building software applications that utilize those specific routines, protocols and tools. Generally an API is considered to be a software component in terms of its defined operations, inputs, outputs, and underlying types. The Platform API may define and provide access to (and use of) the unique functionalities of the Platform. A software developer may incorporate the API into his/her software application. An API may make it easier to develop a software application by providing some of the building blocks required by an application developer, which he/she may then put together.

APIs may be created and offered using various methods such as SOAP (Simple Object Access Protocol, which is XML based) and REST (Representational State Transfer, which uses standard HTTP methods). More description of common API technology can be found at http://en.wikipedia.org/wiki/Application_programming_interface

A Platform is often hosted in the Cloud (e.g., "Cloud computing"; "Platform as a Service"; see http://en.wikipedia.org/wiki/Cloud_computing). At the foundation of cloud computing is the broader concept of converged infrastructure and shared services. Cloud computing, or in simpler shorthand just "the cloud", also focuses on maximizing the effectiveness of the shared resources.

The Platform, as disclosed herein, may also be hosted on a server within an Entity business network or elsewhere other than in the Cloud.

The Platform may support application developers in building software by employing the SDK tools to better use the capabilities of the API in order to control, access and utilize the features and functions of the Platform. Using any of these capabilities, for this disclosure, an Entity and/or User could gain access to one or more of the security, authentication, cryptographic, and other capabilities disclosed herein and/or in the priority claims hereof, including U.S. Provisional Patent Applications No. 61/994,885 and 62/133,371.

The Platform and API solutions disclosed herein may provide a User-Directed, Authenticated, Cryptography-Enabling, Security-Focused Ecosystem (the "Security Ecosystem" as described in Appendix A of Application No. 62/133,371) through which an Entity and/or an Entity's "Users" (i.e., customers, clients, prospects, vendors, associates, employees, and/or others with whom an Entity may have a need to share sensitive information) can use one or more of the components of the Security Ecosystem to address one or more security challenges encountered by an Entity and/or User.

Some examples of capabilities that might be accessed through the Platform and API may include (but are not limited to) the following features:

Cross-Certification: the Platform may cross-certify an Entity's authorized identities with those of another trusted Entity that also uses the Platform; cross-certification may result in identities on one Entity being recognized by another Entity in order to facilitate inter-Entity, secure, point-to-point encrypted communication with trusted identities.

Go Paperless with Users: may eliminate some printing and postage costs of sending statements and/or invoices (and/or other digital content), and/or alternatively the cumbersome practice of requiring Users to log in and manually retrieve such digital content, by encrypting such digital content so that it can be delivered to its authenticated recipients for decryption.

Digital Transaction Signing: may support regulatory and/or business needs by providing non-repudiable authorization for some high-value transactions, e.g., money transfers, account changes, medical orders, access authorization, etc.

Digital Signatures: may provide an integrated, persistent, non-repudiable digital signature capability between an Entity and a User and/or another Entity that could improve the efficiency and reliability of remote document execution.

Audit Trails: may provide an integrated, digital, non-repudiable, verifiable audit trail capability confirming chain of custody, access, etc. of encrypted digital files which, in turn, may reduce fraud.

2-Factor Authentication: may provide an integrated, digital, 2-factor authentication capability to greatly enhance the reliability of remote authentication and approvals as compared to common SMS messaging techniques.

Tunable Security: the Platform and/or API may include a series of configurable authorization controls, limitations and monitoring capabilities, together with tunable security tools, and such features may be configured and controlled by an Entity and/or Users.
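The Digital Transaction Signing and Audit Trail features above name an outcome (non-repudiable authorization, a verifiable chain of custody) without the mechanism. The Go program below is an added example, not code from the patent or its applicants, of the mechanism a practitioner would expect behind both: each audit record is signed with the acting user's ECDSA P-256 key and carries the hash of the record before it, so a verifier holding only the actors' public keys can tell a forged, altered or deleted entry from a genuine one. The record layout, the field names and the `AuditTrail`, `Trust`, `Append` and `Verify` names are this example's assumptions.

```go
// Added example, not the patent's code: the Digital Transaction Signing and Audit
// Trail features as a hash-chained, per-record-signed log. Every record is signed
// by the acting user's ECDSA P-256 key and links to the previous record's hash,
// so a verifier with only public keys detects forged, altered or deleted entries.
// Record layout and names are this example's assumptions.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

type Record struct {
	Seq      int
	Actor    string // ID of the signer, e.g. an employee or an outside user
	Action   string // e.g. "approve-transfer", "open-document"
	Object   string // what was acted on, e.g. a transaction ID or a file hash
	PrevHash string // hex SHA-256 of the previous record; "" for the first
	Sig      []byte // ASN.1 ECDSA signature over digest()
}

// digest covers every field except the signature; %q keeps fields containing '|'
// from being confused with field boundaries.
func (r Record) digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%d|%q|%q|%q|%s", r.Seq, r.Actor, r.Action, r.Object, r.PrevHash)))
	return d[:]
}

// hash is what the next record links to: digest plus signature, so the chain also commits to who signed.
func (r Record) hash() string {
	d := sha256.Sum256(append(r.digest(), r.Sig...))
	return hex.EncodeToString(d[:])
}

type AuditTrail struct {
	Records []Record
	Keys    map[string]*ecdsa.PublicKey // trusted signer keys, by actor ID
}

// Trust registers an actor's public key; private keys never enter the trail.
func (t *AuditTrail) Trust(actor string, pub *ecdsa.PublicKey) {
	if t.Keys == nil {
		t.Keys = map[string]*ecdsa.PublicKey{}
	}
	t.Keys[actor] = pub
}

// Append signs and chains a new record on behalf of actor, refusing a private key
// that does not match the trusted public key (no signing as someone else).
func (t *AuditTrail) Append(actor string, priv *ecdsa.PrivateKey, action, object string) error {
	pub, ok := t.Keys[actor]
	if !ok || !pub.Equal(&priv.PublicKey) {
		return errors.New("actor key not trusted")
	}
	r := Record{Seq: len(t.Records), Actor: actor, Action: action, Object: object}
	if n := len(t.Records); n > 0 {
		r.PrevHash = t.Records[n-1].hash()
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, r.digest())
	if err != nil {
		return err
	}
	r.Sig = sig
	t.Records = append(t.Records, r)
	return nil
}

// Verify walks the chain: each signature must check under the actor's trusted key
// and each PrevHash must equal the hash of the record before it. It returns the
// index of the first bad record, or -1 when the trail is intact.
func (t *AuditTrail) Verify() int {
	prev := ""
	for i, r := range t.Records {
		pub, ok := t.Keys[r.Actor]
		if !ok || r.Seq != i || r.PrevHash != prev || !ecdsa.VerifyASN1(pub, r.digest(), r.Sig) {
			return i
		}
		prev = r.hash()
	}
	return -1
}

// NewSigner makes a P-256 key pair; in the text's model it lives in the user's LKSM.
func NewSigner() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func main() {
	k, _ := NewSigner()
	tr := &AuditTrail{}
	tr.Trust("employee-1", &k.PublicKey) // constructed actor ID
	_ = tr.Append("employee-1", k, "approve-transfer", "txn-0001 (constructed)")
	tr.Records[0].Object = "txn-9999" // simulate tampering with the stored record
	fmt.Println("first bad record:", tr.Verify())
}
```

Verify reports the index of the first record that fails, which is what an incident responder wants: tampering with record N invalidates N and everything after it while the records before N stay attributable. Non-repudiation holds only as far as each signing key is genuinely held by its owner; if the platform could also use a user's private key, it could forge that user's entries, which is why the text keeps private keys with their owners.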

Benefits of the possible solutions that could be offered through the Platform and API are numerous, with some of them being described as one or more of the following: a core security solution together with add-on, customizable features that can integrate and evolve with existing security solutions; a capability to enable an Entity to invite Users or individuals to a secure communication line without exposing the Entity infrastructure; a function to allow an Entity system administrator to track, monitor and/or audit transmitted encrypted digital content; a capability to create a separate database of associates and affiliates, including the right to revoke any invitation or relationship; a capability for an Entity to send encrypted digital content outside an Entity firewall with the result that such digital content may be as secure (or more secure) than within that firewall; a capability to integrate Platform and/or API data records with Active Directory (or a similar system) as well as with an Entity's PKI (Public Key Infrastructure); and a reduction in "Data Spawn" (i.e., a tendency of unencrypted sensitive digital content to be copied and transferred to another person, Entity and/or location, and possibly copied and transferred repeatedly, with the result that the original sensitive digital content may become located in multiple places and/or with multiple individuals or entities, thus reducing its security) through the capabilities of the Platform and API, whereby digital content may be transferred to multiple places and/or multiple individuals or entities in an encrypted format and may be stored in an encrypted format, thus reducing uncontrolled and/or un-audited distribution of unencrypted sensitive digital content.

The actions of the Platform may be selectively changed, controlled and utilized via the API through Entity-written code, thus providing the application-specific security software required by an Entity or end User (such functions may be unique, custom, common or generic). The functionality of the Platform may include the cryptographic security functionality desired by the Entity to provide it with one or more needed products, functions, solutions, capabilities, etc. For example, these may include: the inviter-invitee protocol; authentication functions; audit trail capabilities; or other products, functions, solutions, capabilities, etc. as described in this disclosure and/or its priority claims.

A Platform SDK (Software Development Kit) may include a set of software development tools that may allow a software developer to create custom software applications to utilize the capabilities of the Platform and/or API. A Platform and/or API in general may also be used or accessed by other Platforms. An example of this is the Uber platform (www.uber.com), which uses the Twilio API and platform (www.twilio.com) for the telecommunications needs that Uber provides to its users (e.g., a text that "your Uber driver has arrived"). Another example is that Uber also uses the Braintree API and platform (www.braintreepayments.com) for processing Uber customers' credit card payments.

One problem to address could be the long-stalled "going-paperless" initiatives of some Entities: securely delivering statements, invoices, and other digital content to their Users as opposed to postal mail or the inconvenient "come and get it" paradigm (requiring Users to log into Entity websites and manually retrieve such digital assets). Billions of documents need to be delivered annually from Entities to their Users. Mail is expensive. The "come and get it" paradigm of Users logging onto Entity websites is only partially successful. The "going-paperless" problem is a manifestation of a broader problem confronting Entities: lack of a user-friendly, workable, authenticated, secure B2C and B2B communication capability. It is a challenge today for Entities to easily and securely exchange sensitive digital content with those outside their networks. The Platform and API Security Ecosystem's integrated software capabilities can ensure that the sensitive digital content, etc., that Entity users send to third parties who are off the Entity network can be delivered securely and privately to their correct, authenticated recipients.

The Platform and API Security Ecosystem's software is generally oriented to reduce impact on the existing manner in which Entity users create, store and transmit digital content to others. The Platform and API Security Ecosystem generally does not transport, store or have access to users' encrypted data. The Platform and API Security Ecosystem generally attempts to provide security for users' digital assets by providing a system to protect those assets through encryption, both in transit and at rest.

For Users, the Platform and API Security Ecosystem may provide a tool so that Users may communicate privately, securely and with confidence not only with their authenticated friends, family and associates, but also with their user-created groups (e.g., schools, teams, clubs, political organizations, etc.).

The Platform and API Security Ecosystem (either directly or through Entities) may offer Users a downloadable application to install on a desktop or mobile device that will "lock" (encrypt) and "unlock" (decrypt) digital content using a cryptographic standard such as the Advanced Encryption Standard (AES-256) as well as possibly other optional protocols. An authenticated, authorized recipient of a digital file may open it; locked files should not be viewable by advertisers, email or cloud providers, governments or others; private encryption keys can generally be held by their owners; and identities may be authenticated through user-managed tools.
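AES-256 as named above is a block cipher and by itself provides confidentiality only: a file locked in an unauthenticated mode can be altered in transit without the unlocking party noticing. The Go program below is an added example, not the Platform's client application, of the lock/unlock operation in the authenticated mode a practitioner would choose (AES-256-GCM), with a fresh random nonce per file, a container header bound as associated data, and a check that any modification is rejected rather than decrypted into garbage. The container format, the "LOCK1" header and the function names are assumptions of this example.

```go
// Added example, not the Platform's client code: "lock"/"unlock" of digital
// content with AES-256-GCM, the authenticated mode a practitioner would choose
// for the AES-256 locking the text describes. The container format, the
// "LOCK1" header and the function names are this example's assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const magic = "LOCK1" // container header; also bound as associated data

// newGCM insists on a 32-byte key so an AES-128 key cannot be passed off as AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewContentKey returns a random AES-256 key. In the text's model it is held by
// the content owner and delivered only to authenticated recipients.
func NewContentKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Lock produces magic || nonce || ciphertext || tag. The nonce is random per call
// and must never repeat under one key; the header is authenticated as AAD.
func Lock(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(magic), nonce...), nonce, plaintext, []byte(magic)), nil
}

// Unlock reverses Lock. A wrong key, a stripped or altered header, or any change
// to nonce, ciphertext or tag yields an error and no plaintext.
func Unlock(key, locked []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(locked) < len(magic)+gcm.NonceSize()+gcm.Overhead() || string(locked[:len(magic)]) != magic {
		return nil, errors.New("unlock: not a locked container, or truncated")
	}
	body := locked[len(magic):]
	pt, err := gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], []byte(magic))
	if err != nil {
		return nil, errors.New("unlock: authentication failed (wrong key or tampered content)")
	}
	return pt, nil
}

// Tampered flips one bit of a locked container and reports whether Unlock rejects
// it, which is the property an unauthenticated AES mode would not give.
func Tampered(key, locked []byte) bool {
	if len(locked) == 0 {
		return false
	}
	bad := append([]byte(nil), locked...)
	bad[len(bad)-1] ^= 0x01
	_, err := Unlock(key, bad)
	return err != nil
}

func main() {
	key, _ := NewContentKey()
	locked, _ := Lock(key, []byte("Q3 statement: balance 1,234.56 (constructed sample)"))
	pt, err := Unlock(key, locked)
	fmt.Printf("unlocked=%q err=%v tamperDetected=%v\n", pt, err, Tampered(key, locked))
}
```

The key returned by NewContentKey is the secret the text describes as held by its owner; getting it to an authenticated recipient (for instance wrapped under that recipient's public key) is the job of the inviter-invitee protocol described later, not of this block.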

As stated on Page 1 of Appendix B of Application No. 62/133,371 (as well as on Page 1 of Application No. 61/792,927): "The various inventions described herein contemplate functions or services fulfilled through service provider involvement. As stated in the various referenced APPENDICES, functions or services and/or data and/or keys may be split across multiple service providers or servers or systems and/or across multiple components of a given service provider or server or system." "Server" may also be considered to be a "computing device" with processor(s) and memory.

Such splitting of functions or services and/or data and/or keys ("Items") across multiple service providers or servers or systems and/or across multiple components of a given service provider or server or system reflects the flexibility of configurations as to where those Items could be located on a Platform and/or a Line Server within the network infrastructure of an Entity and/or elsewhere. Such embodiments of the invention are suggested and/or described in the descriptions following the above quoted sections in the above priority filings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in greater detail below, with reference to the accompanying drawings, in which:

FIG. 1 is a block diagram of an illustrative architecture for interface and integration between the network of an Entity, an API and a Platform; and

FIG. 2 is a flowchart illustrating an embodiment of the invention through the establishment of an authenticated relationship with an outside third party.

DETAILED DESCRIPTION OF THE DESCRIBED EMBODIMENTS

Referring to FIG. 1, an integration framework 100 is provided to support application developers that develop applications and services for Entities and/or Users in order to use the functions and services offered by the Platform and API. This framework may accommodate development in multiple languages (101, 102, 103, 104, 105, etc.) together with seamless integration by supporting those languages. The framework may support common open protocols (e.g., REST and SOAP). The framework may provide integrated class libraries for each of the programming languages supported. In one embodiment, a Common Language Specification (CLS) 110 allows designers of various languages to write code that is able to access the underlying library functionality of the Platform Object Services layer 112. The specification 110 functions as a contract between language designers and library designers that can be used to promote language interoperability. By adhering to the CLS, libraries written in one language can be directly accessible to code modules written in other languages, achieving seamless integration between code modules written in one language and code modules written in another. (More information on the Common Language Specification can be found under Common Language Infrastructure on Wikipedia: http://en.wikipedia.org/wiki/Common_Language_Infrastructure.) The framework 100 includes an application program interface (API) layer 111. The API layer 111 presents groups of functions that the applications 101-105 can call to access the resources and services provided by the Platform Object Services layer 112. By exposing the API functions for multiple Platform services, application developers can create Web applications and/or direct application calls that can generate, control and/or make full use of the Platform resources, without needing to understand the complex interworkings of how those cryptographically sophisticated Platform resources actually operate or are made available. Moreover, the Web applications can be written in any number of programming languages, and may be translated into an intermediate language supported by a common language runtime 113 and included as part of the Common Language Specification 110. In this way, the API layer 111 may provide methods to access all of the Platform resources. Additionally, the framework 100 can be configured to support API and/or direct calls placed by remote Client Apps of the service (see 20 in FIG. 2). This framework may be modified for Entity and/or User purposes, particularly if a User is using a limited or dedicated-function device, such as a mobile device (tablet, cellular phone, etc.).

Referring to FIG. 2, an Enterprise Entity has a network infrastructure 1, including servers, workstations, firewall, Active Directory, Public Key Infrastructure (PKI), etc. In this embodiment it has a component of the invention with a separate Registration Authority-Certification Authority-Attribute Authority-Line Servers combination 2 (which in another embodiment may not be present in the enterprise network environment). Both this and the Entity's API Control & Interface Module 3 interface with the API 4. On the workstation 5 of an Employee of the Entity, there is a sensitive plain text document (digital content) 6 that the employee would like to send to an Outside User 7. Using an installed Client App (which includes a Local Key Store Module, LKSM) 8, the employee (now an "Inviter") enters a request 9 into the Client App to invite the Outside User (now an "Invitee") to share a secure communication line between the two of them. The request 9 travels across the network to the Entity's API control and interface module 3. In conformance with the specifications of the API, the API control and interface module 3 transmits an invitation request message 10 to the API. The API transmits a translated message 11 to the Platform 12. The functions and services of the Platform 13 prepare an invitation response message 14 that is returned to the API 4. In accordance with a specification, the API converts the response to a message 15 understandable by the API control and interface module 3. The API control and interface module transmits the message 15 across the network to the Client App 8 on the Inviter workstation 5. The Client App prepares a message that the Inviter can send in an email 16 which arrives at the Invitee 17. The Invitee may click on a link in the email (or visit a designated website and enter a unique invitation code which is provided in the email) to download 18 the client app. The client app is downloaded 19 and installed 20. With the basic install completed, the client is registered 21 with the Platform. From the Platform the Invitee is asked a secret question (supplied by the Inviter in the original invitation request) to which the Invitee is expected to know the answer, and upon supplying that answer, the installation of the LKSM is authenticated 22 with the Platform and the system. The Client App requests permission 23 to make certain cryptographic keys (including a Digital Identity Token, DIT). This is done upon approval 24 from the Platform, with the Invitee's public keys then being sent 25 to the Platform. The Inviter's public key is received from the Platform 26 (which had received it upon the initial installation of the Inviter's Client App). The functions and services of the Platform 27 process and store this data and prepare a message 28 that is returned to the API 4. In accordance with a specification, the API converts this message to a message 29 understandable by the API control and interface module 3 and the Client App 8. The API control and interface module transmits the message 29 across the network to the Client App 8 on the Inviter workstation 5. The Client App 8 updates its LKSM with the invitation authentication and stores the Invitee's public key.
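The FIG. 2 flow above is described message by message, and claims 4 and 6 below summarize its purpose as key establishment pairs and an exchange of authenticated public keys. The Go program below is an added example, not the patent's implementation and not the Platform API, that simulates the flow end to end: a registered inviter's client asks the platform for an invitation; the platform mints a one-time code for the e-mail and keeps only a salted hash of the secret answer; the invitee's freshly installed client answers the question; on success the platform stores the invitee's public key and hands the inviter's key to the invitee, the inviter fetches the invitee's key, and both clients derive the same line key by X25519 key agreement while no private key ever reaches the platform. The platform's step-22 prompt is reduced to the answer check in Accept. The use of X25519 pairs, the hash construction, the context label and all names are assumptions of this example.

```go
// Added example, not the patent's code: a simulation of the FIG. 2 inviter-invitee
// protocol. The platform brokers the invitation, secret question and public-key
// exchange but never sees a private key. Names, formats and labels are assumed.
package main
import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

type ClientApp struct {
	ID    string
	priv  *ecdh.PrivateKey           // never leaves the Local Key Store Module
	Peers map[string]*ecdh.PublicKey // authenticated peer keys, by user ID
}

func NewClientApp(id string) (*ClientApp, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ClientApp{ID: id, priv: priv, Peers: map[string]*ecdh.PublicKey{}}, nil
}

// LineKey derives the line's symmetric key from the X25519 secret, which commits to
// both authenticated public keys; the context label is this example's assumption.
func (c *ClientApp) LineKey(peer string) ([]byte, error) {
	pub, ok := c.Peers[peer]
	if !ok {
		return nil, errors.New("no authenticated key for " + peer)
	}
	secret, err := c.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("secure-line-v1|"), secret...))
	return k[:], nil
}

type invitation struct {
	inviter, question, salt string
	answerHash              [32]byte
	used                    bool
}

// Platform stores registered public keys and pending invitations only.
type Platform struct {
	Pubs  map[string]*ecdh.PublicKey
	invts map[string]*invitation // keyed by one-time invitation code
}

func NewPlatform() *Platform { return &Platform{map[string]*ecdh.PublicKey{}, map[string]*invitation{}} }

// hashAnswer: plain SHA-256 stands in for the slow password hash a deployment needs.
func hashAnswer(salt, answer string) [32]byte { return sha256.Sum256([]byte(salt + "|" + answer)) }

// Register stores a client's public key at install time (step 21 of FIG. 2).
func (p *Platform) Register(c *ClientApp) { p.Pubs[c.ID] = c.priv.PublicKey() }

// Invite (messages 9-15) mints the one-time code for the e-mail; only a salted answer hash is kept.
func (p *Platform) Invite(inviter *ClientApp, question, answer string) (string, error) {
	if _, ok := p.Pubs[inviter.ID]; !ok {
		return "", errors.New("inviter not registered")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code, salt := fmt.Sprintf("%x", buf[:16]), fmt.Sprintf("%x", buf[16:])
	p.invts[code] = &invitation{inviter.ID, question, salt, hashAnswer(salt, answer), false}
	return code, nil
}

// Accept (steps 22-28): constant-time answer check, then store the invitee's key,
// deliver the inviter's key to the invitee and spend the code.
func (p *Platform) Accept(code, answer string, invitee *ClientApp) error {
	inv, ok := p.invts[code]
	if !ok || inv.used {
		return errors.New("unknown or used invitation")
	}
	h := hashAnswer(inv.salt, answer)
	if subtle.ConstantTimeCompare(h[:], inv.answerHash[:]) != 1 {
		return errors.New("authentication failed") // code survives for a retry policy
	}
	inv.used = true
	p.Pubs[invitee.ID] = invitee.priv.PublicKey()
	invitee.Peers[inv.inviter] = p.Pubs[inv.inviter]
	return nil
}

func main() {
	p := NewPlatform()
	alice, _ := NewClientApp("alice@entity.example") // constructed IDs
	bob, _ := NewClientApp("bob@outside.example")
	p.Register(alice)
	code, _ := p.Invite(alice, "Name of our first project?", "Bluebird")
	fmt.Println("accept:", p.Accept(code, "Bluebird", bob), "replay:", p.Accept(code, "Bluebird", bob))
}
```

Two points a reviewer would raise against the flow as described: the secret answer is the only thing that authenticates the invitee, and anyone who controls the invitee's mailbox can follow the link, so the platform must rate-limit Accept and hash answers with a slow password hash (Argon2 or scrypt rather than the SHA-256 stand-in here); and the invitation code must be single-use, which is why a successful Accept marks it spent and a second Accept with the same code fails.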

CLAIMS

1. A method in a server or servers, or other computing device or devices, each including a processor and memory, which provides an integration of security and/or cryptographic functions which may include one or more applications such as: public key infrastructure, privilege management infrastructure, certification authority, registration authority, attribute authority, hardware security module, and/or other hardware systems and/or software systems, and including a method that communicates with one or more of these applications, which together may be described as a platform service and be capable of supporting a variety of security-related functions, such as to enable the extension of security credentials for entities such as enterprise businesses, government, small business, individuals, systems integrators, independent software vendors and others, in order to effectuate more secure communication between one such entity, which may be referred to as a user, and one or more such remote third-party entities, which also may be referred to as users, with an example of such being from an enterprise entity to a third-party customer entity of said enterprise entity which will likely exist beyond said enterprise entity's network firewall; such that to access, utilize and/or benefit from the security and/or authentication capabilities of said applications and/or said platform service, such an entity need not have specific knowledge and/or expertise regarding typical technical requirements, operation and/or capabilities of how said cryptography and/or security systems function, operate, perform and/or accomplish their functions in order for said entity to achieve the security needs, features and/or functions provided by said platform service; such that an entity might access, utilize and/or benefit from the capabilities of said platform service through the use of an application programming interface which could access and/or utilize designated capabilities of said platform service for said entity in a fashion that could require substantially less technical knowledge of security and/or cryptography systems on the part of said entity than might otherwise be required in order for said entity to achieve its desired security-related controls and/or results; such that such platform service may integrate with existing security and/or cryptographic applications pre-existing with an entity and therefore not require such pre-existing applications as a component of said platform service.
2. A method of claim 1 where a platform service may be located in a server or servers in a cloud computing environment, or in a server or servers, or other computing device or devices, within an enterprise or other entity's network, or in a server or servers, or other computing device or devices, located elsewhere, and in any of such cases the platform service would be accessible by said application programming interface; such that a platform service in one embodiment may support the needs of a single such enterprise entity, or in another embodiment, being located in a cloud computing environment, may support the needs of one or many related and/or unrelated entities, as well as other embodiments where it may support entities in other configurations.
3. A method of claim 1 where such an application programming interface may run on a server or servers, or other computing device or devices, each including a processor and memory, such as located within an enterprise entity's network, such that said enterprise entity could use said application programming interface to access said platform service in order to authenticate one or more employee entities, or other individual entities or other entities, which could be referred to as an originating entity or a remote entity; or such as within any other entity's computer or network environment, such that said entity could use said application programming interface to access said platform service in order to authenticate one or more other types of entity, such as an employee, customer, or other entity, which could be referred to as an originating entity, a remote entity or a user; such that the process of authentication of any such originating entity, remote entity or user would include said originating entity, remote entity or user installing an application compatible with such application programming interface on one or more computing devices to be used by said originating entity, remote entity or user.
4. A method of claim 1 in a server or servers, or other computing device or devices, of such entity, such method being compatible with the methods of said application programming interface so that such application programming interface compatible application or method is able to communicate via said application programming interface with said platform service in order to access, utilize and/or benefit from the capabilities of said platform service; such that any such entity may become an originating entity by using said application programming interface compatible method to invite one or more remote entities to establish and authenticate a secure communications line with said originating entity by using one or more of the steps of an inviter-invitee protocol; such that the setup of authorized communication lines may involve delegation of authorizations, e.g., as incorporated into said inviter-invitee process; such that real-time credential management may involve key establishment key pairs and/or encryption-decryption key pairs and/or digital signature verification and digital signature generation key pairs; such that said key establishment key pairs and/or encryption and decryption key pairs may be used, in turn, to deliver access to derived, transported and/or agreed-upon symmetric encryption/decryption keys so that plaintext content, for example digital content or files, and/or communications, such as messages, may securely be made available to intended recipients, such as originating or remote entities, whether internal or external to any entity's network.
5. A method of claim 1 in a server or other computing device including a processor and memory, which together could compose an originating entity for a secure communication, that accesses an application programming interface which could be on the same computing device or on a separate, connected computing device including a processor and memory, in order to deliver pre-defined and formatted requests to the computing device on which the application programming interface runs; which requests may be subsequently processed and translated by the application programming interface into instructions which in turn may be transmitted to a designated and known remote server, which may be located in a cloud computing, enterprise or other environment, upon which a platform service runs; where the functions of said platform service are to contribute to the delivery of defined security, authentication, cryptographic, and other security-related capabilities; such that those translated requests from said application programming interface to said platform service are in a defined format that said platform service can understand and act upon; whereupon pre-determined, desired actions may be implemented via one or more transferred instructions by the platform service to occur and/or make changes on separate, known computing devices, each with one or more processors and memory, which would be operating as a remote entity; such actions may be communicated from the platform service to the application programming interface and thereafter to a computing device of an originating entity or remote entity with a client software application which can connect to the application programming interface, or alternatively to a separate computing device connected to said platform service.
6. The method of claim 1, wherein data generated by said platform service resulting from requests made via said application programming interface to said platform service, or to said platform service from a separate computing device application used by such remote entity, may be responded to by said platform service to said application programming interface or to such separate computing device, which responses may include instructions, steps and/or methods that: enable entities to authenticate themselves remotely to another such entity using an inviter-invitee protocol; enable an exchange of authenticated public encryption keys between such entities; and thereby provide the capabilities that enable such entities to exchange encrypted documents between themselves and/or other such authenticated entities using third-party means.
7. A method of claim 1 composed of a system of communication comprising: a client software application, a user facing domain, a key escrow domain, and an inviter-invitee protocol, wherein the user facing domain securely relates to multiple parties via the client application and the key escrow domain authenticates secure lines of communication amongst the parties; said client application in claim 1 consisting of but not limited to a local key store module and a digital identity token; said user facing domain in claim 1 consisting of but not limited to a login interface on a server, a hardware security module and a lightweight directory access protocol application on a server; said key escrow domain consisting of a registration authority, a certificate authority and an attribute authority, each being installed on a server and hardware security module; said inviter-invitee protocol consisting of multiple steps but not limited to sending an invitation, receiving the invitation, downloading the client app, installation and registration, authentication, and single or multiple key requests, creation, and exchanges; said invitation consisting of, but not limited to, a client application with digital identity token, e-mail address, designated attributes, authentication question, answer to authentication question, and a cryptographic digital signature.
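The invitation of claim 7 is a signed structure: the invitee's client can only act on it if the inviter's digital signature verifies under a public key the platform vouches for, and any field altered in transit (an added attribute, a swapped e-mail address) breaks the signature. The following is an added example written for this page, not code from the application or its authors. It assumes Ed25519 for the inviter's signing key, canonical JSON as the signed encoding, and that the invitee already holds the inviter's public key from the platform service. It departs from the claim's literal list in one respect: the answer to the authentication question travels as a SHA-256 commitment rather than in the clear, with the answer itself delivered on a separate channel (an assumption of this example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Invitation carries the elements claim 7 lists. The answer to the authentication
// question is not sent in the clear: the inviter includes SHA-256(answer) and hands
// the answer to the invitee over a separate channel (an added design choice of this
// example, not something the claims specify).
type Invitation struct {
	InviterToken     string   `json:"inviter_token"`     // digital identity token, opaque here
	InviteeEmail     string   `json:"invitee_email"`
	Attributes       []string `json:"attributes"`        // designated attributes (PMI privileges)
	Question         string   `json:"question"`
	AnswerCommitment string   `json:"answer_commitment"` // hex(SHA-256(answer))
	Signature        []byte   `json:"-"`                 // over the canonical JSON of the fields above
}

// signingBytes is the canonical form covered by the signature: json.Marshal emits
// struct fields in declaration order, and Signature is excluded by its tag.
func signingBytes(inv *Invitation) ([]byte, error) {
	return json.Marshal(inv)
}

func commit(answer string) string {
	sum := sha256.Sum256([]byte(answer))
	return hex.EncodeToString(sum[:])
}

// NewInvitation is run by the inviter (originating entity) with its signing key.
func NewInvitation(priv ed25519.PrivateKey, token, email string, attrs []string, question, answer string) (*Invitation, error) {
	inv := &Invitation{InviterToken: token, InviteeEmail: email, Attributes: attrs,
		Question: question, AnswerCommitment: commit(answer)}
	msg, err := signingBytes(inv)
	if err != nil {
		return nil, err
	}
	inv.Signature = ed25519.Sign(priv, msg)
	return inv, nil
}

// Verify is run by the invitee's client with the inviter's public key as obtained
// from the platform service (assumed: the platform vouches for that key).
func Verify(pub ed25519.PublicKey, inv *Invitation) error {
	msg, err := signingBytes(inv)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, inv.Signature) {
		return errors.New("invitation rejected: signature does not verify")
	}
	return nil
}

// CheckAnswer compares the invitee's answer to the commitment in constant time.
// A bare hash only resists guessing if the answer has real entropy; a low-entropy
// answer should instead be checked by the key escrow domain with rate limiting.
func CheckAnswer(inv *Invitation, answer string) bool {
	return subtle.ConstantTimeCompare([]byte(commit(answer)), []byte(inv.AnswerCommitment)) == 1
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample values; nothing here comes from the application.
	inv, err := NewInvitation(priv, "inviter-token-001", "invitee@example.com",
		[]string{"document:read", "document:sign"}, "Project code name?", "heron")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine invitation verifies:", Verify(pub, inv) == nil)
	inv.Attributes = append(inv.Attributes, "document:admin") // tamper in transit
	fmt.Println("tampered invitation verifies:", Verify(pub, inv) == nil)
}
```

The signature covers the designated attributes, so a remote entity cannot grant itself privileges by editing the invitation; the check that matters just as much is the one outside this code, namely that the public key used in Verify really is the inviter's, which is exactly the assurance the claims assign to the key escrow domain and platform service.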
8. A method of secure communication based on the system of communication in claim 1 wherein a persistent, yet revocable, secure line of communication is established and authenticated; said method in claim 4 and claim 6 wherein the secure line of communication is established by the said invitation protocol in claim 7.
9. A method of claim 4 and claim 7 whereby a user on an electronic device has the ability to install an application that: creates a set of public and private encryption keys for encrypting and decrypting documents, digital signing and other purposes; allows a first user to invite a second user using a second electronic device to share a communication line with the first user on the first user's electronic device; provides a method whereby the second user may respond to the invitation of the first user and install a comparable application on the second user's electronic device and thereafter have a comparable set of public and private encryption keys on that electronic device; provides an invitation method that will include authentication steps that the second user must comply with in a specified method on his electronic device so that the identity of the second user, the associated installation of the application on his specific electronic device, and that specific electronic device are all linked together in such a manner that the first user can be assured, by the server of the trusted third party or through the use of such application programming interface and such a platform service, that provided and monitored the installation and authentication of the client software application on the physical electronic device controlled by the second user, that this described association holds; such that the public encryption key of each user is made available to the other user's application in a manner in which the authenticity of the keys is assured by the server of the trusted third party, or through the use of such application programming interface and such a platform service, that provided the client software application to each party, actions which also may be completed through the use of such an application programming interface and such a platform service; such that by relying on the representation and authentication provided through the server of the trusted third party or through the use of such application programming interface and such a platform service, the parties can thereafter use encryption capabilities of the client software application to first encrypt a digital asset on one electronic device with a symmetric encryption key, followed by the encryption of that symmetric encryption key using the public encryption key known to be that of the other user, followed by having the ability to transfer, in any manner selected by the originating entity, both the encrypted digital asset together with the symmetric encryption key which has been encrypted using the public encryption key of the second user, such that the second user, upon receipt of these two, will be able to use his private key to decrypt the symmetric key and thereafter decrypt the encrypted digital asset; the applicable steps may be completed through the use of such an application programming interface and such a platform service or directly with a server with an accompanying security ecosystem.
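Claims 4 and 9 describe the same two-layer construction: a fresh symmetric key protects the asset, and the recipient's public encryption key protects that symmetric key, so the pair can be transferred over any channel the originating entity chooses. The security of the whole exchange then rests on the sender using the right public key, which is the assurance the claims assign to the trusted third party or platform service. The following is an added example written for this page, not code from the application or its authors. It assumes RSA-OAEP (SHA-256) for wrapping the key, AES-256-GCM for the asset, a SHA-256 fingerprint over the recipient's SubjectPublicKeyInfo as the form in which the platform attests the key, and a line identifier (hypothetical name lineID) that is bound into both layers so an envelope cannot be replayed on a different communication line.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Envelope is the pair claim 9 has the originating entity transfer: the asset under a
// fresh symmetric key, and that key encrypted to the recipient's public encryption key.
type Envelope struct {
	WrappedKey []byte // AES-256 key, RSA-OAEP(SHA-256) under the recipient's public key
	Nonce      []byte // 96-bit AES-GCM nonce, fresh for every Lock call
	Ciphertext []byte // AES-GCM output (ciphertext || tag)
}

// Fingerprint is SHA-256 over the SubjectPublicKeyInfo encoding of a public key. In
// this example it stands in for the authenticity assurance the trusted third party or
// platform service gives for the other user's key (assumption: the platform publishes
// this value over its own authenticated channel).
func Fingerprint(pub *rsa.PublicKey) ([32]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(der), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock encrypts asset for the holder of recipientPub after checking that key against
// the fingerprint attested by the platform. lineID (hypothetical: the identifier of the
// established communication line) is the GCM associated data and the OAEP label.
func Lock(recipientPub *rsa.PublicKey, attested [32]byte, lineID string, asset []byte) (*Envelope, error) {
	fp, err := Fingerprint(recipientPub)
	if err != nil {
		return nil, err
	}
	if fp != attested {
		return nil, errors.New("recipient public key does not match attested fingerprint")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, asset, []byte(lineID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, []byte(lineID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock is the second user's side: recover the symmetric key with the private key,
// then open the asset. Both steps fail closed on a wrong key, wrong line or tampering.
func Unlock(priv *rsa.PrivateKey, lineID string, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(lineID))
	if err != nil {
		return nil, errors.New("cannot unwrap content key: wrong private key or wrong line")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(lineID))
	if err != nil {
		return nil, errors.New("asset rejected: authentication tag mismatch")
	}
	return pt, nil
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	attested, _ := Fingerprint(&recipient.PublicKey) // what the platform would publish
	asset := []byte("constructed sample asset, not from the application")
	env, err := Lock(&recipient.PublicKey, attested, "line-42", asset)
	if err != nil {
		panic(err)
	}
	pt, err := Unlock(recipient, "line-42", env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, asset))
	_, err = Unlock(recipient, "line-43", env)
	fmt.Println("replay on another line rejected:", err != nil)
}
```

Two points the claims leave implicit that this example makes concrete: the fingerprint check before Lock is the only thing that turns "the public encryption key known to be that of the other user" from an assumption into a verified fact on the sender's device, and binding lineID as associated data means that an envelope captured from one authorized line is useless on another even though the recipient's private key is the same.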